园区网核心、防火墙、边界出口冗余实验配置
Campus Network Redundancy Configuration v 1.0
1. 实验前准备
1.1 实验环境
Pnetlab Version 4.2.9
1.2 设备镜像(图中标蓝部分)
2. 拓扑及规划
2.1 拓扑图
2.2 设备配置信息
2.3 IP地址及链路连接规划
2.3.1 汇聚层
2.3.2 核心层
2.3.3 边界
2.3.4 接入层
3. 设备配置
3.1 WAN1、WAN2、MGMT三个出口配置
3.1.1 主要使用虚机三块虚拟网卡模拟3个出口
3.2 边界配置
3.2.1 SW_MAIN配置
hostname SW_Main ! username admin privilege 15 password 7 02250D480809 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport access vlan 11 switchport mode access ! interface Ethernet0/1 no shutdown switchport access vlan 11 switchport trunk encapsulation dot1q switchport mode access ! interface Ethernet0/2 no shutdown switchport access vlan 12 switchport mode access ! interface Ethernet0/3 no shutdown switchport access vlan 11 switchport trunk encapsulation dot1q switchport mode access ! interface Ethernet1/0 no shutdown switchport access vlan 12 switchport mode access ! interface Ethernet1/1 no shutdown switchport access vlan 13 switchport mode access ! interface Ethernet5/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Vlan10 no shutdown no ip address ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.21 255.255.255.0 ! interface Vlan20 no shutdown no ip address ! interface Vlan30 no shutdown no ip address ! interface Vlan40 no shutdown no ip address ! interface Vlan50 no shutdown no ip address ! interface Vlan60 no shutdown no ip address ! interface Vlan100 no shutdown no ip address ! line vty 0 4 login local
3.2.2 SW_Backup配置
service password-encryption ! hostname SW_Backup ! username admin privilege 15 password 7 096F471A1A0A ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport access vlan 12 switchport mode access ! interface Ethernet0/1 no shutdown switchport access vlan 11 switchport trunk encapsulation dot1q switchport mode access ! interface Ethernet0/2 no shutdown switchport access vlan 12 switchport mode access ! interface Ethernet0/3 no shutdown switchport access vlan 11 switchport trunk encapsulation dot1q switchport mode access ! interface Ethernet1/0 no shutdown switchport access vlan 12 switchport mode access ! interface Ethernet5/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet5/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.22 255.255.255.0 ! line vty 0 4 login local
3.2.3 Firewall1配置
***两台防火墙配置为A-P HA模式,有关HA的配置请查阅FortiGate相关文档,HA配置完成后两台防火墙配置完全一样,且会自动同步配置
3.3 核心层配置
3.3.1 Core1配置
service password-encryption ! hostname Core1 ! username admin privilege 15 password 7 13261E010803 ! ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.250 dns-server 61.177.7.1 lease 0 8 ! track 10 ip sla 10 reachability ! track 13 ip sla 13 reachability ! track 20 ip sla 20 reachability ! track 30 ip sla 30 reachability ! track 40 ip sla 40 reachability ! track 50 ip sla 50 reachability ! track 60 ip sla 60 reachability ! track 100 ip sla 100 reachability ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/0 no shutdown switchport access vlan 100 switchport mode access negotiation auto ! interface GigabitEthernet0/1 no shutdown switchport access vlan 100 switchport mode access negotiation auto ! interface GigabitEthernet0/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto ! interface GigabitEthernet0/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto ! interface GigabitEthernet1/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk speed 1000 duplex full no negotiation auto ! interface GigabitEthernet1/1 no shutdown switchport access vlan 13 switchport mode access negotiation auto ! interface GigabitEthernet1/2 no shutdown switchport access vlan 13 switchport mode access negotiation auto ! interface GigabitEthernet1/3 no shutdown switchport access vlan 13 switchport mode access negotiation auto ! interface GigabitEthernet2/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface Vlan10 no shutdown ip address 192.168.10.252 255.255.255.0 vrrp 10 ip 192.168.10.250 vrrp 10 priority 109 vrrp 10 authentication text Cisco vrrp 10 track 10 decrement 11 ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.252 255.255.255.0 vrrp 13 ip 13.172.1.250 vrrp 13 priority 109 vrrp 13 authentication text Cisco vrrp 13 track 13 decrement 11 ! interface Vlan20 no shutdown ip address 192.168.20.252 255.255.255.0 vrrp 20 ip 192.168.20.250 vrrp 20 priority 109 vrrp 20 authentication text Cisco vrrp 20 track 20 decrement 11 ! interface Vlan30 no shutdown ip address 192.168.30.252 255.255.255.0 vrrp 30 ip 192.168.30.250 vrrp 30 priority 109 vrrp 30 authentication text Cisco vrrp 30 track 30 decrement 11 ! interface Vlan40 no shutdown ip address 192.168.40.252 255.255.255.0 vrrp 40 ip 192.168.40.250 vrrp 40 priority 109 vrrp 40 authentication text Cisco vrrp 40 track 40 decrement 11 ! interface Vlan50 no shutdown ip address 192.168.50.252 255.255.255.0 vrrp 50 ip 192.168.50.250 vrrp 50 priority 109 vrrp 50 authentication text Cisco vrrp 50 track 50 decrement 11 ! interface Vlan60 no shutdown ip address 192.168.60.252 255.255.255.0 vrrp 60 ip 192.168.60.250 vrrp 60 priority 109 vrrp 60 authentication text Cisco vrrp 60 track 60 decrement 11 ! interface Vlan100 no shutdown description To_Firewall ip address 192.168.100.252 255.255.255.0 vrrp 100 ip 192.168.100.250 vrrp 100 priority 109 vrrp 100 authentication text Cisco vrrp 100 track 100 decrement 11 ! ip route 0.0.0.0 0.0.0.0 192.168.100.254 ! ip sla 10 icmp-echo 192.168.100.254 source-interface Vlan10 frequency 5 ip sla schedule 10 life forever start-time now ip sla 13 icmp-echo 13.172.1.10 source-interface Vlan13 frequency 5 ip sla schedule 13 life forever start-time now ip sla 20 icmp-echo 192.168.100.254 source-interface Vlan20 frequency 5 ip sla schedule 20 life forever start-time now ip sla 30 icmp-echo 192.168.100.254 source-interface Vlan30 frequency 5 ip sla schedule 30 life forever start-time now ip sla 40 icmp-echo 192.168.100.254 source-interface Vlan40 frequency 5 ip sla schedule 40 life forever start-time now ip sla 50 icmp-echo 192.168.100.254 source-interface Vlan50 frequency 5 ip sla schedule 50 life forever start-time now ip sla 60 icmp-echo 192.168.100.254 source-interface Vlan60 frequency 5 ip sla schedule 60 life forever start-time now ip sla 100 icmp-echo 192.168.100.254 source-interface Vlan100 frequency 5 ip sla schedule 100 life forever start-time now ! line vty 0 4 login local
3.3.2 Core2配置
service password-encryption ! hostname Core2 ! ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.250 dns-server 61.177.7.1 lease 0 8 ! ip dhcp pool VLAN60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.250 dns-server 61.177.7.1 lease 0 8 ! track 10 ip sla 10 reachability ! track 20 ip sla 20 reachability ! track 30 ip sla 30 reachability ! track 40 ip sla 40 reachability ! track 50 ip sla 50 reachability ! track 60 ip sla 60 reachability ! track 100 ip sla 100 reachability ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/0 no shutdown switchport access vlan 100 switchport mode access negotiation auto ! interface GigabitEthernet0/1 no shutdown switchport access vlan 100 switchport mode access negotiation auto ! interface GigabitEthernet0/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto ! interface GigabitEthernet0/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto ! interface GigabitEthernet1/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto ! interface GigabitEthernet1/1 no shutdown negotiation auto ! interface GigabitEthernet1/2 no shutdown negotiation auto ! interface GigabitEthernet1/3 no shutdown negotiation auto ! interface GigabitEthernet2/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface GigabitEthernet2/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk negotiation auto channel-group 1 mode on ! interface Vlan10 no shutdown ip address 192.168.10.253 255.255.255.0 vrrp 10 ip 192.168.10.250 vrrp 10 authentication text Cisco vrrp 10 track 10 decrement 11 ! interface Vlan13 no shutdown description MGMT no ip address ! interface Vlan20 no shutdown ip address 192.168.20.253 255.255.255.0 vrrp 20 ip 192.168.20.250 vrrp 20 authentication text Cisco vrrp 20 track 20 decrement 11 ! interface Vlan30 no shutdown ip address 192.168.30.253 255.255.255.0 vrrp 30 ip 192.168.30.250 vrrp 30 authentication text Cisco vrrp 30 track 30 decrement 11 ! interface Vlan40 no shutdown ip address 192.168.40.253 255.255.255.0 vrrp 40 ip 192.168.40.250 vrrp 40 authentication text Cisco vrrp 40 track 40 decrement 11 ! interface Vlan50 no shutdown ip address 192.168.50.253 255.255.255.0 vrrp 50 ip 192.168.50.250 vrrp 50 authentication text Cisco vrrp 50 track 50 decrement 11 ! interface Vlan60 no shutdown ip address 192.168.60.253 255.255.255.0 vrrp 60 ip 192.168.60.250 vrrp 60 authentication text Cisco vrrp 60 track 60 decrement 11 ! interface Vlan100 no shutdown ip address 192.168.100.253 255.255.255.0 vrrp 100 ip 192.168.100.250 vrrp 100 authentication text Cisco vrrp 100 track 100 decrement 11 ! ip route 0.0.0.0 0.0.0.0 192.168.100.254 ! ip sla 10 icmp-echo 192.168.100.254 source-interface Vlan10 frequency 5 ip sla schedule 10 life forever start-time now ip sla 20 icmp-echo 192.168.100.254 source-interface Vlan20 frequency 5 ip sla schedule 20 life forever start-time now ip sla 30 icmp-echo 192.168.100.254 source-interface Vlan30 frequency 5 ip sla schedule 30 life forever start-time now ip sla 40 icmp-echo 192.168.100.254 source-interface Vlan40 frequency 5 ip sla schedule 40 life forever start-time now ip sla 50 icmp-echo 192.168.100.254 source-interface Vlan50 frequency 5 ip sla schedule 50 life forever start-time now ip sla 60 icmp-echo 192.168.100.254 source-interface Vlan60 frequency 5 ip sla schedule 60 life forever start-time now ip sla 100 icmp-echo 192.168.100.254 source-interface Vlan100 frequency 5 ip sla schedule 100 life forever start-time now ! line vty 0 4
3.4 汇聚层配置
3.4.1 Converge1配置
service password-encryption ! hostname Converge1 ! username admin privilege 15 password 7 032752180500 ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Port-channel2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet1/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Ethernet1/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.31 255.255.255.0 no ip route-cache ! line vty 0 4 login local
3.4.2 Converge2配置
service password-encryption ! hostname Converge2 ! username admin privilege 15 password 7 13261E010803 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Port-channel2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet1/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Ethernet1/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.32 255.255.255.0 no ip route-cache ! line vty 0 4 login local
3.4.3 Converge3配置
service password-encryption ! hostname Converge3 ! username admin privilege 15 password 7 01300F175804 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Port-channel2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/2 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/3 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet1/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Ethernet1/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 2 mode on ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.33 255.255.255.0 ! line vty 0 4 login local
3.5 接入层配置
3.5.1 Acc1配置
service password-encryption ! hostname Acc1 ! username admin privilege 15 password 7 05280F1C2243 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 10 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.41 255.255.255.0 ! line vty 0 4 login local
3.5.2 Acc2配置
service password-encryption ! hostname Acc2 ! username admin privilege 15 password 7 123A0C041104 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 20 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.42 255.255.255.0 ! line vty 0 4 login local
3.5.3 Acc3配置
service password-encryption ! hostname Acc3 ! username admin privilege 15 password 7 032752180500 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 30 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.43 255.255.255.0 ! line vty 0 4 login local
3.5.4 Acc4配置
service password-encryption ! hostname Acc4 ! username admin privilege 15 password 7 032752180500 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 40 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.44 255.255.255.0 ! line vty 0 4 login local
3.5.5 Acc5配置
service password-encryption ! hostname Acc5 ! username admin privilege 15 password 7 00271A150754 ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 50 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.45 255.255.255.0 ! line vty 0 4 login local
3.5.6 Acc6配置
service password-encryption ! hostname Acc6 ! username admin privilege 15 password 7 112A1016141D ! no ip routing ! interface Port-channel1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk ! interface Ethernet0/0 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/1 no shutdown switchport trunk encapsulation dot1q switchport mode trunk channel-group 1 mode on ! interface Ethernet0/2 no shutdown switchport access vlan 60 switchport mode access ! interface Vlan13 no shutdown description MGMT ip address 13.172.1.46 255.255.255.0 ! line vty 0 4 login local
